INFORMATION PROCESSING METHOD, RETRIEVING METHOD, DEVICE, USER TERMINAL AND SERVER

(19)

(11)

EP 2 940 959 A1

(12)	EUROPEAN PATENT APPLICATION
	published in accordance with Art. 153(4) EPC

(43)	Date of publication:
	04.11.2015 Bulletin 2015/45

(21)	Application number: 14768769.3

(22)	Date of filing: 21.03.2014

(51)

International Patent Classification (IPC):

H04L 29/06^(2006.01)

(86)	International application number:
	PCT/CN2014/073872

(87)	International publication number:
	WO 2014/146607 (25.09.2014 Gazette 2014/39)

(84)	Designated Contracting States:
	AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
	Designated Extension States:
	BA ME

(30)

Priority:

21.03.2013 CN 201310091474

(71)	Applicant: Huawei Device Co., Ltd.
	Shenzhen, Guangdong 518129 (CN)

(72)	Inventors:
	HUANG, Jiejing Shenzhen Guangdong 518129 (CN) WANG, Chan Shenzhen Guangdong 518129 (CN) WU, Huangwei Shenzhen Guangdong 518129 (CN)

(74)	Representative: Haley, Stephen
	Gill Jennings & Every LLP The Broadgate Tower 20 Primrose Street London EC2A 2ES London EC2A 2ES (GB)

(54)	INFORMATION PROCESSING METHOD, RETRIEVING METHOD, DEVICE, USER TERMINAL AND SERVER

(57) The present invention discloses an information processing method and apparatus, an information retrieval method and apparatus, a user terminal, and a server. The retrieval method includes: receiving, by a first user terminal, information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal; acquiring, from a cloud server and a trusted server, privacy information, non-privacy information, and a shared key that correspond to the address information; obtaining address information of a to-be-accessed file by searching the privacy information and the non-privacy information; acquiring, from the cloud server, a first encrypted file corresponding to the address information of the to-be-accessed file; and decrypting the first encrypted file by using the shared key, to obtain the to-be-accessed file. In the present invention, because a trusted server is introduced in an information retrieval process, an encrypted file that is uploaded to a cloud server by a user terminal can be searched by a trusted third-party user terminal, thereby making full use of performance of the cloud server while ensuring security of a user file.

Description

[0001] This application claims priority to Chinese Patent Application No. 201310091474.7, filed with the Chinese Patent Office on March 21, 2013, which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

[0002] The present invention relates to the field of network communications technologies, and in particular, to an information processing method and apparatus, an information retrieval method and apparatus, a user terminal, and a server.

BACKGROUND

[0003] Cloud computing (Cloud Computing) is a technology that provides dynamically scalable virtual resources by using the Internet. A network may be conveniently accessed by using cloud computing, and storage and management of mass data may be implemented by configuring large quantities of storage devices.

[0004] Cloud computing generally requires much participation of a user. The user may upload his/her own file to a cloud server for saving. In this case, the file of the user may be open to outside users, and a third-party user may search a required file from the cloud server. Therefore, in order to protect privacy and security of user files, a user generally encrypts a file before uploading the file to a cloud server and uploads the encrypted file to the cloud server. In this case, because the file has been encrypted, a third-party user cannot obtain required information from the cloud server by means of retrieval, which makes it difficult to make full use of performance of the cloud server, thereby causing inconvenient information sharing on the Internet and low flexibility of file sharing between users.

SUMMARY

[0005] Embodiments of the present invention provide an information processing method and apparatus, an information retrieval method and apparatus, a user terminal, and a server, so as to resolve a problem of inconvenient information sharing on the Internet and low flexibility of file sharing between users in the prior art because an encrypted file in a cloud server cannot be searched.

[0006] To resolve the foregoing technical problem, the embodiments of the present invention disclose the following technical solutions:

According to a first aspect, an information processing method is provided, where the method includes:

generating privacy information and non-privacy information according to digest information of a file;

encrypting the file by using a shared key delivered by a trusted server, to obtain an encrypted file;

uploading the encrypted file and the non-privacy information to a cloud server;

receiving information, returned by the cloud server, about an address at which the encrypted file is saved; and

transmitting the address information of the encrypted file to the trusted server, so that the trusted server saves the address information.

[0007] With reference to the first aspect, in a first possible implementation manner of the first aspect, the method further includes:

transmitting the privacy information to the trusted server, so that the trusted server saves a correspondence between the privacy information and the address information.

[0008] With reference to the first aspect, in a second possible implementation manner of the first aspect, the encrypting the file by using a shared key delivered by a trusted server, to obtain an encrypted file is specifically: encrypting the file by using a first shared key delivered by the trusted server, to obtain the encrypted file; and

the method further includes: encrypting the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information; and

uploading the encrypted privacy information to the cloud server.

[0009] According to a second aspect, an information processing method is provided, where the method includes:

obtaining an encrypted file and non-privacy information that are uploaded by a user terminal, where the encrypted file is the encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is the non-privacy information generated by the user terminal according to digest information of the file;

saving a correspondence between the encrypted file and the non-privacy information; and

delivering, to the user terminal, information about an address at which the encrypted file is saved, so that the trusted server saves the address information after the user terminal transmits the address information of the encrypted file to the trusted server.

[0010] With reference to the second aspect, in a first possible implementation manner of the second aspect, the encrypted file is specifically the encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server; and
the method further includes:

obtaining encrypted privacy information uploaded by the user terminal, where the encrypted privacy information is the encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, where the privacy information is the privacy information generated by the user terminal according to the digest information of the file.

[0011] According to a third aspect, an information processing method is provided, where the method includes:

delivering a shared key to a user terminal, so that the user terminal uploads, to a cloud server after obtaining an encrypted file by encrypting a file according to the shared key, the encrypted file and non-privacy information that is generated according to digest information of the file;

receiving address information, sent by the user terminal, of the encrypted file, where the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved; and

saving the address information.

[0012] With reference to the third aspect, in a first possible implementation manner of the third aspect, the method further includes:

receiving privacy information generated according to the digest information of the file and transmitted by the user terminal; and

saving a correspondence between the privacy information and the address information.

[0013] With reference to the third aspect, in a second possible implementation manner of the third aspect, the delivering a shared key to a user terminal, so that the user terminal encrypts a file according to the shared key to obtain an encrypted file is specifically: delivering a first shared key to the user terminal, so that the user terminal encrypts the file according to the first shared key to obtain the encrypted file; and
the method further includes: delivering a second shared key to the user terminal, so that the user terminal encrypts, according to the second shared key, privacy information that is generated according to the digest information of the file to obtain encrypted privacy information and uploads the encrypted privacy information to the cloud server.

[0014] According to a fourth aspect, an information retrieval method is provided, where the method includes:

receiving, by a first user terminal, information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal, where the address information is information, delivered to the second user terminal by the cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, where the encrypted file is an encrypted file obtained after the second user terminal encrypts a file according to a shared key delivered by a trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file;

acquiring, from the cloud server and the trusted server by the first user terminal, the non-privacy information, privacy information, and the shared key that correspond to the address information, where the privacy information is generated by the second user terminal according to the digest information of the file;

obtaining, by the first user terminal, address information of a to-be-accessed file by searching the privacy information and the non-privacy information;

acquiring, from the cloud server by the first user terminal, a first encrypted file corresponding to the address information of the to-be-accessed file; and decrypting, by the first user terminal, the first encrypted file by using the shared key, to obtain the to-be-accessed file.

[0015] With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the acquiring, from the cloud server and the trusted server by the first user terminal, privacy information, the non-privacy information, and the shared key that correspond to the address information includes:

sending, to the trusted server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal;

receiving, by the first user terminal, the privacy information and the shared key that correspond to the address information and are returned by the trusted server;

sending, to the cloud server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal; and receiving, by the first user terminal, the non-privacy information that corresponds to the address information and is returned by the cloud server.

[0016] With reference to the fourth aspect, in a second possible implementation manner of the fourth aspect, the acquiring, from the cloud server and the trusted server by the first user terminal, privacy information, the non-privacy information, and the shared key that correspond to the address information includes:

sending, to the trusted server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal;

receiving, by the first user terminal, a first shared key and a second shared key that correspond to the address information and are returned by the trusted server;

sending, to the cloud server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal;

receiving, by the first user terminal, the non-privacy information and encrypted privacy information that correspond to the address information and are returned by the cloud server; and

decrypting, by the first user terminal, the encrypted privacy information by using the second shared key, to obtain the privacy information; and the decrypting, by the first user terminal, the first encrypted file by using the shared key, to obtain the to-be-accessed file is specifically: decrypting, by the first user terminal, the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

[0017] With reference to the fourth aspect, or the first possible implementation manner of the fourth aspect, or the second possible implementation manner of the fourth aspect, in a third possible implementation manner of the fourth aspect, the obtaining, by the first user terminal, address information of a to-be-accessed file by searching the privacy information and the non-privacy information includes:

matching, by the first user terminal, privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition;

obtaining, according to a matching result by the first user terminal, privacy information and non-privacy information that meet the retrieval condition; and determining, by the first user terminal, address information corresponding to the privacy information and the non-privacy information that meet the retrieval condition as the address information of the to-be-accessed file.

[0018] With reference to the fourth aspect, or the first possible implementation manner of the fourth aspect, or the second possible implementation manner of the fourth aspect, or the third possible implementation manner of the fourth aspect, in a fourth possible implementation manner of the fourth aspect, the acquiring, from the cloud server by the first user terminal, a first encrypted file corresponding to the address information of the to-be-accessed file includes:

sending, by the first user terminal, the address information of the to-be-accessed file to the cloud server; and

receiving, by the first user terminal, the first encrypted file that corresponds to the address information of the to-be-accessed file and is sent by the cloud server after the cloud server queries a saved correspondence between the address information and the encrypted file.

[0019] According to a fifth aspect, an information processing apparatus is provided, where the apparatus includes:

a generating unit, configured to generate privacy information and non-privacy information according to digest information of a file;

an encrypting unit, configured to encrypt the file by using a shared key delivered by a trusted server, to obtain an encrypted file;

an uploading unit, configured to upload the encrypted file and the non-privacy information to a cloud server;

a receiving unit, configured to receive information, returned by the cloud server, about an address at which the encrypted file is saved; and

a transmitting unit, configured to transmit the address information of the encrypted file to the trusted server, so that the trusted server saves the address information.

[0020] With reference to the fifth aspect, in a first possible implementation manner of the fifth aspect,

the transmitting unit is further configured to transmit the privacy information to the trusted server, so that the trusted server saves a correspondence between the privacy information and the address information.

[0021] With reference to the fifth aspect, in a second possible implementation manner of the fifth aspect,

the encrypting unit is specifically configured to encrypt the file by using a first shared key delivered by the trusted server, to obtain the encrypted file;

the encrypting unit is further configured to encrypt the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information; and

the uploading unit is further configured to upload the encrypted privacy information to the cloud server.

[0022] According to a sixth aspect, an information processing apparatus is provided, where the apparatus includes:

an obtaining unit, configured to obtain an encrypted file and non-privacy information that are uploaded by a user terminal, where the encrypted file is the encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is the non-privacy information generated by the user terminal according to digest information of the file;

a saving unit, configured to save a correspondence between the encrypted file and the non-privacy information; and

a delivering unit, configured to deliver, to the user terminal, information about an address at which the encrypted file is saved, so that the trusted server saves the address information after the user terminal transmits the address information of the encrypted file to the trusted server.

[0023] With reference to the sixth aspect, in a first possible implementation manner of the sixth aspect,

the encrypted file acquired by the obtaining unit is specifically the encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server; and

the obtaining unit is further configured to obtain encrypted privacy information uploaded by the user terminal, where the encrypted privacy information is the encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, where the privacy information is the privacy information generated by the user terminal according to the digest information of the file.

[0024] According to a seventh aspect, an information processing apparatus is provided, where the apparatus includes:

a delivering unit, configured to deliver a shared key to a user terminal, so that the user terminal uploads, to a cloud server after obtaining an encrypted file by encrypting a file according to the shared key, the encrypted file and non-privacy information that is generated according to digest information of the file;

a receiving unit, configured to receive address information, sent by the user terminal, of the encrypted file, where the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved; and

a saving unit, configured to save the address information.

[0025] With reference to the seventh aspect, in a first possible implementation manner of the seventh aspect,

the receiving unit is further configured to receive privacy information that is generated according to the digest information of the file and transmitted by the user terminal; and

the saving unit is further configured to save a correspondence between the privacy information and the address information.

[0026] With reference to the seventh aspect, in a second possible implementation manner of the seventh aspect, the delivering unit is specifically configured to deliver a first shared key to the user terminal, so that the user terminal uploads, to the cloud server after obtaining the encrypted file by encrypting the file according to the first shared key, the encrypted file and the non-privacy information that is generated according to the digest information of the file; and

the delivering unit is further configured to deliver a second shared key to the user terminal, so that the user terminal encrypts, according to the second shared key, privacy information that is generated according to the digest information of the file to obtain encrypted privacy information and uploads the encrypted privacy information to the cloud server.

[0027] According to an eighth aspect, an information retrieval apparatus is provided, where the apparatus includes:

a receiving unit, configured to receive information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal, where the address information is information, delivered to the second user terminal by the cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, where the encrypted file is an encrypted file obtained after the second user terminal encrypts a file according to a shared key delivered by a trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file;

an acquiring unit, configured to acquire, from the cloud server and the trusted server, the non-privacy information, privacy information, and the shared key that correspond to the address information, where the privacy information is generated by the second user terminal according to the digest information of the file;

a retrieving unit, configured to obtain address information of a to-be-accessed file by searching the privacy information and the non-privacy information, where the acquiring unit is further configured to acquire, from the cloud server, a first encrypted file corresponding to the address information of the to-be-accessed file; and

a decrypting unit, configured to decrypt the first encrypted file by using the shared key, to obtain the to-be-accessed file.

[0028] With reference to the eighth aspect, in a first possible implementation manner of the eighth aspect, the acquiring unit includes:

a first address sending subunit, configured to send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal; and

a first information receiving subunit, configured to receive the privacy information and the shared key that correspond to the address information and are returned by the trusted server, where

the first address sending subunit is further configured to send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; and

the first information receiving subunit is further configured to receive the non-privacy information that corresponds to the address information and is returned by the cloud server.

[0029] With reference to the eighth aspect, in a second possible implementation manner of the eighth aspect, the acquiring unit includes:

a second address sending subunit, configured to send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal;

a second information receiving subunit, configured to receive a first shared key and a second shared key that correspond to the address information and are returned by the trusted server, where

the second address sending subunit is further configured to send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; and

the second information receiving subunit is further configured to receive the non-privacy information and encrypted privacy information that correspond to the address information and are returned by the cloud server; and a second information decrypting subunit, configured to decrypt the encrypted privacy information by using the second shared key, to obtain the privacy information, where

the decrypting unit is specifically configured to decrypt the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

[0030] With reference to the eighth aspect, or the first possible implementation manner of the eighth aspect, or the second possible implementation manner of the eighth aspect, in a third possible implementation manner of the eighth aspect, the retrieving unit includes:

an information matching subunit, configured to match privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition;

a result obtaining subunit, configured to obtain, according to a matching result, privacy information and non-privacy information that meet the retrieval condition; and

an address determining subunit, configured to determine address information corresponding to the privacy information and the non-privacy information that meet the retrieval condition as the address information of the to-be-accessed file.

[0031] With reference to the eighth aspect, or the first possible implementation manner of the eighth aspect, or the second possible implementation manner of the eighth aspect, or the third possible implementation manner of the eighth aspect, in a fourth possible implementation manner of the eighth aspect, the acquiring unit includes:

a third address sending subunit, configured to send the address information of the to-be-accessed file to the cloud server; and

a third file receiving subunit, configured to receive the first encrypted file that corresponds to the address information of the to-be-accessed file and is sent by the cloud server after the cloud server queries a saved correspondence between the address information and the encrypted file.

[0032] According to a ninth aspect, a user terminal is provided, where the user terminal includes a bus, and a network interface, a processor, and a memory that are connected by using the bus, where

the network interface is configured to form a network connection with a trusted server and a cloud server;

the processor is configured to: generate privacy information and non-privacy information according to digest information of a file; encrypt the file by using a shared key delivered by the trusted server, to obtain an encrypted file; through the network interface, upload the encrypted file and the non-privacy information to the cloud server and receive information, returned by the cloud server, about an address at which the encrypted file is saved; and transmit the address information of the encrypted file to the trusted server through the network interface, so that the trusted server saves the address information; and

the memory is configured to save the address information of the encrypted file.

[0033] With reference to the ninth aspect, in a first possible implementation manner of the ninth aspect,

the processor is further configured to transmit the privacy information to the trusted server through the network interface, so that the trusted server saves a correspondence between the privacy information and the address information.

[0034] With reference to the ninth aspect, in a second possible implementation manner of the ninth aspect,

the processor is further configured to: encrypt the file by using a first shared key delivered by the trusted server, to obtain the encrypted file; and encrypt the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information; and upload the encrypted privacy information to the cloud server through the network interface.

[0035] According to a tenth aspect, a cloud server is provided, where the cloud server includes a bus, and a network interface, a processor, and a memory that are connected by using the bus, where

the network interface is configured to form a network connection with a user terminal;

the processor is configured to obtain, through the network interface, an encrypted file and non-privacy information that are uploaded by the user terminal, where the encrypted file is the encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is the non-privacy information generated by the user terminal according to digest information of the file;

the memory is configured to save a correspondence between the encrypted file and the non-privacy information; and

the processor is further configured to deliver, to the user terminal through the network interface, information about an address at which the encrypted file is saved, so that the trusted server saves the address information after the user terminal transmits the address information of the encrypted file to the trusted server.

[0036] With reference to the tenth aspect, in a first possible implementation manner of the tenth aspect,

the encrypted file obtained by the processor through the network interface and uploaded by the user terminal is specifically the encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server; and

the processor is further configured to obtain, through the network interface, encrypted privacy information uploaded by the user terminal, where the encrypted privacy information is the encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, where the privacy information is the privacy information generated by the user terminal according to the digest information of the file.

[0037] According to an eleventh aspect, a trusted server is provided, where the trusted server includes a bus, and a network interface, a processor, and a memory that are connected by using the bus, where

the network interface is configured to form a network connection with a user terminal;

the processor is configured to: deliver a shared key to the user terminal through the network interface, so that the user terminal uploads, to a cloud server after obtaining an encrypted file by encrypting a file according to the shared key, the encrypted file and non-privacy information that is generated according to digest information of the file; and receive, through the network interface, address information, sent by the user terminal, of the encrypted file, where the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved; and

the memory is configured to save the address information.

[0038] With reference to the eleventh aspect, in a first possible implementation manner of the eleventh aspect,

the processor is further configured to receive, through the network interface, privacy information generated according to the digest information of the file and transmitted by the user terminal; and

the memory is further configured to save a correspondence between the privacy information and the address information.

[0039] With reference to the eleventh aspect, in a second possible implementation manner of the eleventh aspect,

the processor is specifically configured to deliver a first shared key to the user terminal through the network interface, so that the user terminal uploads, to the cloud server after obtaining the encrypted file by encrypting the file according to the first shared key, the encrypted file and the non-privacy information that is generated according to the digest information of the file; and

the processor is further configured to deliver a second shared key to the user terminal through the network interface, so that the user terminal encrypts, according to the second shared key, privacy information that is generated according to the digest information of the file to obtain encrypted privacy information and uploads the encrypted privacy information to the cloud server.

[0040] According to a twelfth aspect, a user terminal is provided, where the user terminal is used as a first user terminal, including a bus, and a network interface and a processor that are connected by using the bus, where

the network interface is configured to form a network connection with a second user terminal, a cloud server, and a trusted server; and

the processor is configured to: receive information, sent by the second user terminal, about an address used to save an encrypted file of the second user terminal, where the address information is information, delivered to the second user terminal by the cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, where the encrypted file is an encrypted file obtained after the second user terminal encrypts a file according to a shared key delivered by the trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file;

acquire, from the cloud server and the trusted server through the network interface, the non-privacy information, privacy information, and the shared key that correspond to the address information, where the privacy information is generated by the second user terminal according to the digest information of the file; obtain address information of a to-be-accessed file by searching the privacy information and the non-privacy information; acquire, from the cloud server through the network interface, a first encrypted file corresponding to the address information of the to-be-accessed file; and decrypt the first encrypted file by using the shared key, to obtain the to-be-accessed file.

[0041] With reference to the twelfth aspect, in a first possible implementation manner of the twelfth aspect,

the processor is specifically configured to: through the network interface, send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal, and receive the privacy information and the shared key that correspond to the address information and are returned by the trusted server; and through the network interface, send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal, and receive the non-privacy information that corresponds to the address information and is returned by the cloud server.

[0042] With reference to the twelfth aspect, in a second possible implementation manner of the twelfth aspect,

the processor is specifically configured to: through the network interface, send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal; receive a first shared key and a second shared key that correspond to the address information and are returned by the trusted server; send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; receive the non-privacy information and encrypted privacy information that correspond to the address information and are returned by the cloud server; and decrypt the encrypted privacy information by using the second shared key, to obtain the privacy information, and decrypt the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

[0043] With reference to the twelfth aspect, or the first possible implementation manner of the twelfth aspect, or the second possible implementation manner of the twelfth aspect, in a third possible implementation manner of the twelfth aspect,

the processor is specifically configured to: separately match privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition; obtain, according to a matching result, privacy information and non-privacy information that meet the retrieval condition; and determine address information corresponding to the privacy information and the non-privacy information that meet the retrieval condition as the address information of the to-be-accessed file.

[0044] With reference to the twelfth aspect, or the first possible implementation manner of the twelfth aspect, or the second possible implementation manner of the twelfth aspect, or the third possible implementation manner of the twelfth aspect, in a fourth possible implementation manner of the twelfth aspect,

the processor is specifically configured to, through the network interface, send the address information of the to-be-accessed file to the cloud server and receive the first encrypted file that corresponds to the address information of the to-be-accessed file and is sent by the cloud server after the cloud server queries a saved correspondence between the address information and the encrypted file.

[0045] In the embodiments of the present invention, during information processing, a user terminal generates privacy information and non-privacy information according to digest information of a file; encrypts the file by using a shared key delivered by a trusted server, to obtain an encrypted file; uploads the encrypted file and the non-privacy information to a cloud server; receives information, returned by the cloud server, about an address at which the encrypted file is saved; and transmits the address information of the encrypted file to the trusted server, so that the trusted server saves the address information of the encrypted file. By applying the embodiments of the present invention, a cloud server saves an encrypted file and non-privacy information, and a trusted server saves address information of the encrypted file. Therefore, no third-party user terminal can directly obtain privacy information from the cloud server, but only a trusted third-party user terminal can obtain the address information of the encrypted file from the trusted server and access the privacy information according to the address information, so that the trusted third-party user terminal can search the privacy information and the non-privacy information, which enables the trusted third-party user terminal to access the encrypted file while ensuring security of the user file. During information retrieval, a first user terminal receives information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal; acquires, from a cloud server and a trusted server, privacy information, non-privacy information, and a shared key that correspond to the address information; obtains address information of a to-be-accessed file by searching the privacy information and the non-privacy information; acquires, from the cloud server, a first encrypted file corresponding to the address information of the to-be-accessed file; and decrypts the first encrypted file by using the shared key, to obtain the to-be-accessed file. By applying the embodiments of the present invention, a trusted server is introduced in an information retrieval process, so that an encrypted file uploaded to a cloud server by a user terminal can be searched by a trusted third-party user terminal. The trusted third-party user terminal may obtain required information from the cloud server by means of retrieval. Therefore, while security of a user file is ensured, performance of the cloud server can be made full use of, and convenience of information sharing on the Internet and flexibility of file sharing between users using the cloud server are improved.

BRIEF DESCRIPTION OF DRAWINGS

[0046] To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the following briefly introduces the accompanying drawings required for describing the embodiments or the prior art. Apparently, a person of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.

FIG. 1A is a flowchart of an information processing method according to one embodiment of the present invention;

FIG. 1B is a flowchart of an information processing method according to another embodiment of the present invention;

FIG. 1C is a flowchart of an information processing method according to still another embodiment of the present invention;

FIG. 2 is a flowchart of an information retrieval method according to one embodiment of the present invention;

FIG. 3 is a flowchart of an information processing method according to yet another embodiment of the present invention;

FIG. 4 is a flowchart of an information retrieval method according to another embodiment of the present invention;

FIG. 5 is a flowchart of an information processing method according to still yet another embodiment of the present invention;

FIG. 6A and FIG. 6B are flowcharts of an information retrieval method according to still another embodiment of the present invention;

FIG. 7 is a block diagram of an information processing apparatus according to one embodiment of the present invention;

FIG. 8 is a block diagram of an information processing apparatus according to another embodiment of the present invention;

FIG. 9 is a block diagram of an information processing apparatus according to still another embodiment of the present invention;

FIG. 10 is a block diagram of an information retrieval apparatus according to one embodiment of the present invention;

FIG. 11 is a block diagram of a user terminal according to one embodiment of the present invention;

FIG. 12 is a block diagram of a cloud server according to an embodiment of the present invention;

FIG. 13 is a block diagram of a trusted server according to an embodiment of the present invention; and

FIG. 14 is a block diagram of a user terminal according to another embodiment of the present invention.

DESCRIPTION OF EMBODIMENTS

[0047] The following embodiments of the present invention provide an information processing method and apparatus, an information retrieval method and apparatus, a user terminal, and a server.

[0048] To make a person skilled in the art understand the technical solutions in the embodiments of the present invention better, and make the objectives, features, and advantages of the embodiments of the present invention clearer, the following further describes in detail the technical solutions in the embodiments of the present invention with reference to the accompanying drawings.

[0049] Referring to FIG. 1A, FIG. 1A is a flowchart of an information processing method according to one embodiment of the present invention. This embodiment describes an information processing process from a user terminal side.

Step 101: A user terminal generates privacy information and non-privacy information according to digest information of a file.

[0050] The file in this embodiment of the present invention refers to a user file to be uploaded to a cloud server for saving. A type of the file may specifically be a multimedia file or a structured file, where the multimedia file may include a photo, a picture, a video, and the like; and the structured file may include a WORD document, an Extensible Markup Language (Extensible Markup Language, XML) file, and the like.

[0051] A file is formed by file content and digest information. The digest information refers to an attribute description of the file, for example, a simple attribute description on the file by a user, and a description and gist, in a form of concise texts, of the file. A photo file is used as an example. Digest information of the photo file may include one or more of the following: a person (persons) in the photo, a photo theme, a scenario in the photo, photographing time, a photographing place, a camera parameter, a pixel size, and the like. Further, the digest information may be divided into two parts: privacy information and non-privacy information. The privacy information refers to some sensitive personal information characterized by confidentiality. For a photo, for example, privacy information may include a person (persons) in the photo, a photographing place, and the like. The non-privacy information is usually not characterized by confidentiality, and therefore may be open to outside users. For a photo, for example, non-privacy information may include photographing time, a pixel size, a camera parameter, and the like.

[0052] In this embodiment of the present invention, a crawler technology, an automatic digest technology, a face recognition technology, and the like in the prior art may be used to extract the digest information from the file, and details are not described herein again. The amount of information included in the digest information may be adjusted according to an actual need, which is not limited in this embodiment of the present invention. A key in this embodiment of the present invention is to distinguish between the privacy information and the non-privacy information in the digest information, so as to ensure security of user information.

Step 102: The user terminal encrypts the file by using a shared key delivered by a trusted server, to obtain an encrypted file.

[0053] In this embodiment of the present invention, the trusted server may specifically be a server in a trusted center. The trusted center is deployed between a cloud server and a user terminal. The trusted center may issue in advance a certificate to a cloud server and a user terminal that exchange information by using the trusted server, so as to implement identity authentication between the cloud server and the user terminal, that is, the trusted center may have a certificate authority (Certificate Authority, CA) center. Moreover, the trusted center may also deliver a key to the user terminal, that is, the trusted center may further have a key distribution center (Key Distribution Center, KDC).

Step 103: The user terminal uploads the encrypted file and the non-privacy information to a cloud server.

Step 104: The user terminal receives information, returned by the cloud server, about an address at which the encrypted file is saved.

[0054] In this embodiment, after receiving the encrypted file uploaded by the user terminal, the cloud server needs to save the encrypted file and send, to the user terminal, the information about an address at which the encrypted file is saved, so that the user terminal may access, according to the address information, the file saved in the cloud server. Generally, the address information may refer to a uniform resource locator (Uniform Universal Resource Locator, URL).

Step 105: The user terminal transmits the address information of the encrypted file to the trusted server, so that the trusted server saves the address information of the encrypted file.

[0055] With reference to the foregoing embodiment, in one specific implementation manner, while transmitting the address information of the encrypted file to the trusted server, the user terminal may further transmit the privacy information that is generated according to the digest information of the file, so that the trusted server saves a correspondence between the privacy information and the address information.

[0056] With reference to the foregoing embodiment, in another specific implementation manner, the user terminal may encrypt the file by using a first shared key delivered by the trusted server, to obtain the encrypted file; and the user terminal may encrypt the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information and upload the encrypted privacy information while uploading the encrypted file and the non-privacy information to the cloud server.

[0057] Referring to FIG. 1B, FIG. 1B is a flowchart of an information processing method according to another embodiment of the present invention. This embodiment describes an information processing process from a cloud server side.

Step 110: A cloud server obtains an encrypted file and non-privacy information that are uploaded by a user terminal.

[0058] The encrypted file is an encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is non-privacy information generated by the user terminal according to digest information of the file.

Step 111: The cloud server saves a correspondence between the encrypted file and the non-privacy information.

Step 112: The cloud server delivers, to the user terminal, information about an address at which the encrypted file is saved, so that the trusted server saves the address information after the user terminal transmits the address information of the encrypted file to the trusted server. In one specific implementation manner, the encrypted file may specifically be an encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server. While obtaining the encrypted file and the non-privacy information that are uploaded by the user terminal, the cloud server may obtain encrypted privacy information uploaded by the user terminal. The encrypted privacy information may be encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, where the privacy information is privacy information generated by the user terminal according to the digest information of the file. The first shared key and the second shared key may be the same or may be different, which is not limited in this embodiment of the present invention.

[0059] It should be noted that the foregoing information processing embodiment described from the cloud server side shown in FIG. 1B is an embodiment corresponding to the information processing embodiment described from the user terminal side shown in FIG. 1A. Therefore, for a specific information processing process and a relevant description, reference may be made to the aforementioned embodiment shown in FIG. 1A, and details are not described herein again.

[0060] Referring to FIG. 1C, FIG. 1C is a flowchart of an information processing method according to another embodiment of the present invention. This embodiment describes an information processing process from a trusted server side.

Step 120: A trusted server delivers a shared key to a user terminal, so that the user terminal uploads, to a cloud server after obtaining an encrypted file by encrypting a file according to the shared key, the encrypted file and non-privacy information that is generated according to digest information of the file.

[0061] In one specific implementation manner, the trusted server may deliver a first shared key and a second shared key to the user terminal. The first shared key is used by the user terminal to encrypt the file to obtain the encrypted file. The second shared key is used by the terminal to encrypt privacy information that is generated according to the digest information of the file, to obtain encrypted privacy information that is to be uploaded to the cloud server.

Step 121: The trusted server receives address information, sent by the user terminal, of the encrypted file, where the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved.

Step 122: The trusted server saves the address information.

[0062] In one specific implementation manner, the trusted server may further receive the privacy information generated according to the digest information of the file and transmitted by the user terminal, and save a correspondence between the privacy information and the address information.

[0063] It should be noted that the foregoing information processing embodiment described from the cloud server side shown in FIG. 1C is an embodiment corresponding to the information processing embodiment described from the user terminal side shown in FIG. 1A and the information processing embodiment described from the cloud server side shown in FIG. 1B. Therefore, for a specific information processing process and a relevant description, reference may be made to the aforementioned embodiments shown in FIG. lea and FIG. 1B, and details are not described herein again.

[0064] It may be seen from the foregoing embodiments shown in FIG. 1A to FIG. 1C that: A cloud server saves an encrypted file and non-privacy information, and a trusted server saves address information of the encrypted file; therefore, no third-party user terminal can directly obtain privacy information from the cloud server, but only a trusted third-party user terminal can obtain the address information of the encrypted file from the trusted server and access the privacy information according to the address information, so that the trusted third-party user terminal can search the privacy information and the non-privacy information, which enables the trusted third-party user terminal to access the encrypted file while ensuring security of the user file.

[0065] Referring to FIG. 2, FIG. 2 is a flowchart of an information retrieval method according to one embodiment of the present invention. This embodiment describes an information retrieval process from a user terminal side. In this embodiment, information saved in the aforementioned cloud server and that saved in an information server are used for information retrieval.

Step 201: A first user terminal receives information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal, where the address information is information, delivered to the second user terminal by a cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, where the encrypted file is an encrypted file obtained after a user terminal encrypts a file according to a shared key delivered by a trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file.

[0066] In this embodiment, it is assumed that the second user terminal is the user terminal that performs information processing and uploads the encrypted file to the cloud server according to the aforementioned embodiment shown in FIG. 1A. A user of the second user terminal grants a user of the first user terminal permission to search and access a file that is uploaded to the cloud server by the second terminal. Therefore, the second user terminal can send, to the first user terminal, the information about the address used to save the encrypted file of the second user terminal.

[0067] The second user terminal generally uploads multiple files and an encrypted file corresponding to each file has corresponding address information in the cloud server. Therefore, in this embodiment, the address information that is sent to the first user terminal by the second user terminal may be multiple pieces of address information corresponding to multiple encrypted files.

Step 202: The first user terminal acquires, from the cloud server and the trusted server, privacy information, the non-privacy information, and the shared key that correspond to the address information, where the privacy information is generated by the second user terminal according to the digest information of the file.

[0068] In this embodiment, because the first user terminal is an authorized user terminal of the second user terminal, the first user terminal may perform authentication with the trusted server before accessing the encrypted file, which is saved in the cloud server, of the second user terminal. A specific authentication manner may be user-certificate-based authentication, or one-factor-based network authentication, or two-factor-based network authentication, or multi-factor-based network authentication, which is not limited in this embodiment of the present invention. An authentication process may be initiated by the first user terminal or may be initiated by the trusted server, which is not limited in this embodiment of the present invention.

[0069] In one specific implementation manner, when the trusted server saves privacy information and the cloud server saves an encrypted file and non-privacy information, the first user terminal may send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal and receives the privacy information and the shared key that correspond to the address information and are returned by the trusted server; and the first user terminal sends, to the cloud server, the information about the address used to save the encrypted file of the second user terminal and receives the non-privacy information that corresponds to the address information and is returned by the cloud server.

[0070] In another specific implementation manner, when the cloud server saves an encrypted file, encrypted privacy information, and non-privacy information, the first user terminal may send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal and receives a first shared key and a second shared key that correspond to the address information and are returned by the trusted server; and the first user terminal sends, to the cloud server, the information about the address used to save the encrypted file of the second user terminal, receives the non-privacy information and the encrypted privacy information that correspond to the address information and are returned by the cloud server, and decrypts the encrypted privacy information by using the second shared key, to obtain the privacy information.

Step 203: The first user terminal obtains address information of a to-be-accessed file by searching the privacy information and the non-privacy information.

[0071] Optionally, the first user terminal may separately match privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition, obtain, according to a matching result, privacy information and non-privacy information that meet the retrieval condition, and determine address information corresponding to the privacy information and the non-privacy information that meet the retrieval condition as the address information of the to-be-accessed file.

[0072] In one specific retrieval manner, the first user terminal may first use the non-privacy information to match a first retrieval condition, and the cloud server returns a first retrieval result, where the first retrieval result includes non-privacy information meeting the first retrieval condition and corresponding privacy information; and then the first user terminal uses the corresponding privacy information to match a second retrieval condition, and a second retrieval result is returned, where the second retrieval result includes privacy information meeting the second retrieval condition and corresponding non-privacy information. That is, the retrieval condition is decomposed into the first retrieval condition corresponding to the non-privacy information and the second retrieval condition corresponding to the privacy information, and the non-privacy information and the privacy information are matched respectively in two times of matching. It should be noted that, in an actual matching process, privacy information may be first matched and then non-privacy information is matched, or non-privacy information and privacy information may be matched at the same time, which is not limited in this embodiment of the present invention.

Step 204: The first user terminal acquires, from the cloud server, a first encrypted file corresponding to the address information of the to-be-accessed file.

[0073] Specifically, the first user terminal may send the address information of the to-be-accessed file to the cloud server. After querying a saved correspondence between the address information and the encrypted file, the cloud server obtains the first encrypted file corresponding to the address information of the to-be-accessed file and sends the first encrypted file to the first user terminal.

Step 205: The first user terminal decrypts the first encrypted file by using the shared key, to obtain the to-be-accessed file.

[0074] In step 202, when the trusted server returns a first shared key and a second shared key that correspond to the address information, the first user terminal may decrypt the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

[0075] To further describe a relationship between files involved in the foregoing embodiment, an example is described as follows: it is assumed that the second user terminal has a total of N (N is a natural number) files, and that the N files are encrypted to obtain N encrypted files of the second user terminal, where the to-be-accessed file is at least one file meeting a retrieval condition in the aforementioned N files, and a file obtained after the at least one file is encrypted is the first encrypted file.

[0076] It may be seen from the foregoing embodiment that, in this embodiment of the present invention, a trusted server is introduced in an information retrieval process, so that an encrypted file uploaded to a cloud server by a user terminal can be searched by a trusted third-party user terminal. The trusted third-party user terminal may obtain required information from the cloud server by means of retrieval. Therefore, while security of a user file is ensured, performance of the cloud server can be made full use of, and convenience of information sharing on the Internet and flexibility of file sharing between users using the cloud server are improved.

[0077] With reference to interaction among a user terminal, a cloud server, and a trusted server, the following details information processing processes and information retrieval processes in the embodiments of the present invention.

[0078] Referring to FIG. 3, FIG. 3 is a flowchart of an information processing method according to another embodiment of the present invention.

Step 301: A user terminal of user A sends a key request message to a trusted server.

Step 302: The trusted server returns a shared key to the user terminal according to the key request message.

[0079] The trusted server may be configured to deliver shared keys to different user terminals. Therefore, after a shared key is delivered to each user terminal, a correspondence between a user identifier and the shared key may be saved.

Step 303: The user terminal extracts, from a to-be-uploaded file, digest information of the file and divides the digest information into privacy information and non-privacy information. Step 304: The user terminal encrypts the to-be-uploaded file by using the shared key, to obtain an encrypted file.

[0080] In this embodiment of the present invention, when the to-be-uploaded file is encrypted by using the shared key, all types of existing encryption algorithms may be used, for example, the Advanced Encryption Standard (Advanced Encryption Standard, AES) algorithm.

Step 305: The user terminal uploads the encrypted file and the non-privacy information of the file to a cloud server.

Step 306: The cloud server saves a correspondence among the received encrypted file, non-privacy information, and a user identifier.

Step 307: The cloud server returns, to the user terminal of user A, a URL at which the encrypted file is saved.

Step 308: The user terminal transmits the URL at which the encrypted file is saved and the privacy information to the trusted server.

Step 309: The trusted server saves a correspondence among the received URL, privacy information, and user identifier A.

[0081] Referring to FIG. 4, FIG. 4 is a flowchart of an information retrieval method according to another embodiment of the present invention. Based on the information obtained in the information processing embodiment shown in FIG. 3, this embodiment separately implements an information retrieval process of an unauthorized user and an information retrieval process of an authorized user.

[0082] The following steps 401 to 403 describe an information retrieval process of an unauthorized user:

Step 401: Unauthorized user B sends an information retrieval request to a cloud server by using a user terminal.

[0083] The information retrieval request may include a retrieval condition that is used for information matching.

Step 402: The cloud server queries saved non-privacy information of users according to the information retrieval request.

Step 403: The cloud server returns non-privacy information meeting the information retrieval request to the user terminal of user B.

[0084] In this embodiment of the present invention, because an unauthorized user may search only non-privacy information, saved in the cloud server, of a user, some retrieval services may be provided while security and privacy of a user file are ensured.

[0085] The following steps 404 to 417 describe an information retrieval process of an authorized user:

Step 404: A user terminal of user A sends an authorization grant message to a trusted server, where the authorization grant message grants user C permission to access an encrypted file, stored in a cloud server, of user A.

Step 405: The user terminal of user A sends a URL of the encrypted file to a user terminal of user C.

Step 406: The user terminal of user C completes identity authentication with the trusted server by using a certificate of user C.

[0086] In addition to the user-certificate-based authentication manner, one-factor-based network authentication, or two-factor-based network authentication, or multi-factor-based network authentication may also be used, which is not limited in this embodiment of the present invention.

Step 407: The user terminal of user C sends, to the trusted server, the URL at which the encrypted file is saved.

[0087] It should be noted that, optionally, in the aforementioned step 405, the user terminal of user A may not send the URL of the encrypted file to the user terminal of user C, but the trusted server actively sends, after identity authentication between the user terminal of user C and the trusted server is complete, the URL of the encrypted file of the user terminal of user A to the user terminal of user C. The user terminal of user C may have obtained authorization from multiple users. Therefore, when having a need to search a file of the user terminal of user A, the user terminal of user C may send a saved URL of the encrypted file of the user terminal of user A to the trusted server.

Step 408: The trusted server queries a saved correspondence according to the received URL to obtain privacy information and a shared key that correspond to the URL.

Step 409: The trusted server returns, to the user terminal of user C, the privacy information and the shared key that correspond to the URL.

Step 410: The user terminal of user C sends, to the cloud server, the URL at which the encrypted file is saved.

Step 411: The cloud server queries a saved correspondence according to the received URL to obtain non-privacy information corresponding to the URL.

Step 412: The cloud server returns, to the user terminal of user C, the non-privacy information corresponding to the URL.

Step 413: The user terminal of user C searches the privacy information and the non-privacy information to obtain a URL corresponding to privacy information and non-privacy information that meet a retrieval condition.

[0088] In this embodiment, the URL is information about an address used to save the encrypted file of user A. Because each URL corresponds to one encrypted file, accordingly, each URL may correspond to privacy information, non-privacy information, and a shared key of a saved encrypted file at the same time. Therefore, the user terminal of user C may save a correspondence among privacy information, a shared key, and non-privacy information of each encrypted file by using each URL as a keyword.

[0089] During retrieval, retrieval is performed according to digest information formed by privacy information and non-privacy information that correspond to a same URL. After digest information meeting a retrieval condition is obtained, a URL corresponding to the digest information is obtained according to a saved correspondence.

[0090] In one specific retrieval manner, the user terminal of user C may first use the non-privacy information in the digest information to match a first retrieval condition, and the cloud server returns a first retrieval result, where the first retrieval result includes digest information formed by non-privacy information meeting the first retrieval condition and corresponding privacy information; and then the user terminal of user C uses the privacy information in the digest information in the first retrieval result to match a second retrieval condition, and a second retrieval result is returned, where the second retrieval result includes digest information formed by privacy information and non-privacy information that meet the second retrieval condition. It should be noted that, in an actual matching process, privacy information may also be first matched and then non-privacy information is matched, or non-privacy information and privacy information may be matched at the same time, which is not limited in this embodiment.

Step 414: The user terminal of user C sends the obtained URL to the cloud server.

Step 415: The cloud server queries a correspondence according to the received URL to obtain an encrypted file corresponding to the URL.

Step 416: The cloud server returns the found encrypted file to the user terminal of user C. Step 417: The user terminal of user C decrypts the encrypted file according to the shared key of the encrypted file.

[0091] The user terminal of user C obtains, according to the saved correspondence in step 413, a shared key corresponding to the URL meeting the retrieval condition, and decrypts the received encrypted file by using the shared key.

[0092] It may be seen from the foregoing embodiment that a trusted server is introduced in an information retrieval process, so that an encrypted file uploaded to a cloud server by a user terminal can be searched by a trusted third-party user terminal. The trusted third-party user terminal may obtain required information from the cloud server by means of retrieval. Therefore, while security of a user file is ensured, performance of the cloud server can be made full use of, and convenience of information sharing on the Internet and flexibility of file sharing between users using the cloud server are improved.

[0093] Referring to FIG. 5, FIG. 5 is a flowchart of an information processing method according to another embodiment of the present invention.

Step 501: A user terminal of user A sends a key request message to a trusted server.

Step 502: The trusted server returns shared key 1 and shared key 2 to the user terminal according to the key request message.

[0094] The trusted server may be configured to deliver shared keys to different user terminals. Therefore, after a shared key is delivered to each user terminal, a correspondence among a user identifier, a first shared key, and a second shared key may be saved.

Step 503: The user terminal of user A extracts, from a to-be-uploaded file, digest information of the file and divides the digest information into privacy information and non-privacy information.

Step 504: The user terminal of user A encrypts, by using shared key 1, the to-be-uploaded file to obtain an encrypted file, and encrypts, by using shared key 2, the privacy information to obtain encrypted privacy information.

[0095] In this embodiment of the present invention, a file is formed by file content and digest information. Therefore, the user terminal of user A may encrypt the file by using shared key 1, and may also encrypt the file content by using shared key 1.

Step 505: The user terminal of user A uploads the encrypted file, the encrypted privacy information, and the non-privacy information to a cloud server.

Step 506: The cloud server saves a correspondence among the received encrypted file, encrypted privacy information, and non-privacy information and user identifier A.

Step 507: The cloud server returns, to the user terminal of user A, a URL at which the encrypted file is saved.

Step 508: The user terminal transmits the URL of the encrypted file to the trusted server.

Step 509: The trusted server saves a correspondence between the received URL and user identifier A.

[0096] Referring to FIG. 6, FIG. 6 is a flowchart of an information retrieval method according to another embodiment of the present invention. Based on the information obtained in the information processing embodiment shown in FIG. 5, this embodiment separately implements an information retrieval process of an authorized user and an information retrieval process of an unauthorized user.

[0097] The following steps 601 to 603 describe an information retrieval process of an unauthorized user:

Step 601: Unauthorized user B sends an information retrieval request to a cloud server by using a user terminal.

[0098] The information retrieval request may include a retrieval condition that is used for information matching.

Step 602: The cloud server queries saved non-privacy information of users according to the information retrieval request.

Step 603: The cloud server returns non-privacy information meeting the information retrieval request to the user terminal of user B.

[0099] In this embodiment of the present invention, because an unauthorized user may search only non-privacy information, saved in the cloud server, of a user, some retrieval services may be provided while security and privacy of a user file are ensured.

[0100] The following steps 604 to 617 describe an information retrieval process of an authorized user:

Step 604: A user terminal of user A sends an authorization grant message to a trusted server, where the authorization grant message grants user C permission to access an encrypted file, stored in a cloud server, of user A.

Step 605: The user terminal of user A sends a URL of the encrypted file to a user terminal of user C.

Step 606: The user terminal of user C completes identity authentication with the trusted server by using a certificate of user C.

[0101] In addition to the user-certificate-based authentication manner, one-factor-based network authentication, or two-factor-based network authentication, or multi-factor-based network authentication may also be used, which is not limited in this embodiment of the present invention.

Step 607: The user terminal of user C sends, to the trusted server, the URL at which the encrypted file is saved.

[0102] It should be noted that, optionally, in the aforementioned step 605, the user terminal of user A may not send the URL of the encrypted file to the user terminal of user C, but the trusted server actively sends, after identity authentication between the user terminal of user C and the trusted server is complete, the URL of the encrypted file of the user terminal of user A to the user terminal of user C. The user terminal of user C may have obtained authorization from multiple users. Therefore, when having a need to search a file of the user terminal of user A, the user terminal of user C may send a saved URL of the encrypted file of the user terminal of user A to the trusted server.

Step 608: The trusted server queries a saved correspondence according to the received URL to obtain shared key 1 and shared key 2 that correspond to the URL.

Step 609: The trusted server returns, to the user terminal of user C, shared key 1 and shared key 2 that correspond to the URL.

Step 610: The user terminal of user C sends, to the cloud server, the URL at which the encrypted file is saved.

Step 611: The cloud server queries a saved correspondence according to the received URL to obtain non-privacy information and encrypted privacy information that correspond to the URL.

Step 612: The cloud server returns, to the user terminal of user C, the non-privacy information and the encrypted privacy information that correspond to the URL.

Step 613: The user terminal of user C decrypts the encrypted privacy information by using shared key 2, to obtain privacy information.

[0103] In this embodiment, the URL is information about an address used to save the encrypted file of user A. Because each URL corresponds to one encrypted file, accordingly, each URL may correspond to encrypted privacy information, non-privacy information, and a shared key of a saved encrypted file at the same time. Therefore, the user terminal of user C may save a correspondence among encrypted privacy information, shared key 1, shared key 2, and non-privacy information of each encrypted file by using each URL as a keyword. Accordingly, when the encrypted privacy information is decrypted, the encrypted privacy information is decrypted by using shared key 2 that corresponds to the encrypted privacy information.

Step 614: The user terminal of user C searches the privacy information and the non-privacy information to obtain a URL corresponding to privacy information and non-privacy information that meet a retrieval condition.

[0104] In this embodiment, during retrieval, retrieval is performed according to digest information formed by privacy information and non-privacy information that correspond to a same URL. After digest information meeting a retrieval condition is obtained, a URL corresponding to the digest information is obtained according to a saved correspondence.

[0105] In one specific retrieval manner, the user terminal of user C may first use the non-privacy information in the digest information to match a first retrieval condition, and the cloud server returns a first retrieval result, where the first retrieval result includes digest information formed by non-privacy information meeting the first retrieval condition and corresponding privacy information; and then the user terminal of user C uses the privacy information in the digest information in the first retrieval result to match a second retrieval condition, and a second retrieval result is returned, where the second retrieval result includes digest information formed by privacy information and non-privacy information that meet the second retrieval condition. It should be noted that, in an actual matching process, privacy information may also be first matched and then non-privacy information is matched, or non-privacy information and privacy information may be matched at the same time, which is not limited in this embodiment.

Step 615: The user terminal of user C sends the obtained URL to the cloud server.

Step 616: The cloud server queries a correspondence according to the received URL to obtain an encrypted file corresponding to the URL.

Step 617: The cloud server returns the found encrypted file to the user terminal of user C. Step 618: The user terminal of user C decrypts the encrypted file according to shared key 1 of the encrypted file.

[0106] It may be seen from the foregoing embodiment that a trusted server is introduced in an information retrieval process, so that an encrypted file uploaded to a cloud server by a user terminal can be searched by a trusted third-party user terminal. The trusted third-party user terminal may obtain required information from the cloud server by means of retrieval. Therefore, while security of a user file is ensured, performance of the cloud server can be made full use of, and convenience of information sharing on the Internet and flexibility of file sharing between users using the cloud server are improved.

[0107] Corresponding to the embodiments of the information processing method and the information retrieval method of the present invention, the present invention further provides embodiments of a user terminal, a cloud server, and a trusted server.

[0108] Referring to FIG. 7, FIG. 7 is a block diagram of an information processing apparatus according to one embodiment of the present invention. The information processing apparatus may be disposed in a user terminal.

[0109] The information processing apparatus includes: a generating unit 710, an encrypting unit 720, an uploading unit 730, a receiving unit 740, and a transmitting unit 750, where

the generating unit 710 is configured to generate privacy information and non-privacy information according to digest information of a file;

the encrypting unit 720 is configured to encrypt the file by using a shared key delivered by a trusted server, to obtain an encrypted file;

the uploading unit 730 is configured to upload the encrypted file and the non-privacy information to a cloud server;

the receiving unit 740 is configured to receive information, returned by the cloud server, about an address at which the encrypted file is saved; and

the transmitting unit 750 is configured to transmit the address information of the encrypted file to the trusted server, so that the trusted server saves the address information.

[0110] In one specific implementation manner,

the transmitting unit 750 is further configured to transmit the privacy information to the trusted server, so that the trusted server saves a correspondence between the privacy information and the address information.

[0111] In another specific implementation manner,

the encrypting unit 720 is specifically configured to encrypt the file by using a first shared key delivered by the trusted server, to obtain the encrypted file;

the encrypting unit 720 is further configured to encrypt the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information; and

the uploading unit 730 is further configured to upload the encrypted privacy information to the cloud server.

[0112] Referring to FIG. 8, FIG. 8 is a block diagram of an information processing apparatus according to another embodiment of the present invention. The information processing apparatus may be disposed in a cloud server.

[0113] The information processing apparatus includes: an obtaining unit 810, a saving unit 820, and a delivering unit 830, where

the obtaining unit 810 is configured to obtain an encrypted file and non-privacy information that are uploaded by a user terminal, where the encrypted file is an encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is non-privacy information generated by the user terminal according to digest information of the file;

the saving unit 820 is configured to save a correspondence between the encrypted file and the non-privacy information; and

the delivering unit 830 is configured to deliver, to the user terminal, information about an address at which the encrypted file is saved, so that the trusted server saves the address information after the user terminal transmits the address information of the encrypted file to the trusted server.

[0114] In one specific implementation manner,

the encrypted file acquired by the obtaining unit 810 is specifically an encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server; and

the obtaining unit 810 is further configured to obtain encrypted privacy information uploaded by the user terminal, where the encrypted privacy information is encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, where the privacy information is privacy information generated by the user terminal according to the digest information of the file.

[0115] Referring to FIG. 9, FIG. 9 is a block diagram of an information processing apparatus according to another embodiment of the present invention. The information processing apparatus may be disposed in a trusted server.

[0116] The information processing apparatus includes: a delivering unit 910, a receiving unit 920, and a saving unit 930, where

the delivering unit 910 is configured to deliver a shared key to a user terminal, so that the user terminal uploads, to a cloud server after obtaining an encrypted file by encrypting a file according to the shared key, the encrypted file and non-privacy information that is generated according to digest information of the file;

the receiving unit 920 is configured to receive address information, sent by the user terminal, of the encrypted file, where the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved; and

the saving unit 930 is configured to save the address information.

[0117] In one specific implementation manner,

the receiving unit 920 may be further configured to receive privacy information that is generated according to the digest information of the file and transmitted by the user terminal; and

the saving unit 930 may be further configured to save a correspondence between the privacy information and the address information.

[0118] In another specific implementation manner,

the delivering unit 910 may be specifically configured to deliver a first shared key to the user terminal, so that the user terminal uploads, to the cloud server after obtaining the encrypted file by encrypting the file according to the first shared key, the encrypted file and the non-privacy information that is generated according to the digest information of the file; and

the delivering unit 910 may be further configured to deliver a second shared key to the user terminal, so that the user terminal encrypts, according to the second shared key, privacy information that is generated according to the digest information of the file to obtain encrypted privacy information and uploads the encrypted privacy information to the cloud server.

[0119] Referring to FIG. 10, FIG. 10 is a block diagram of an information retrieval apparatus according to one embodiment of the present invention. The information retrieval apparatus may be disposed at a first user terminal side.

[0120] The information retrieval apparatus includes: a receiving unit 1010, an acquiring unit 1020, a retrieving unit 1030, and a decrypting unit 1040, where

the receiving unit 1010 is configured to receive information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal, where the address information is information, delivered to the second user terminal by the cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, where the encrypted file is an encrypted file obtained after the second user terminal encrypts a file according to a shared key delivered by a trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file;

the acquiring unit 1020 is configured to acquire, from the cloud server and the trusted server, the non-privacy information, privacy information, and the shared key that correspond to the address information, where the privacy information is generated by the second user terminal according to the digest information of the file;

the retrieving unit 1030 is configured to obtain address information of a to-be-accessed file by searching the privacy information and the non-privacy information;

the acquiring unit 1020 is further configured to acquire, from the cloud server, a first encrypted file corresponding to the address information of the to-be-accessed file; and

the decrypting unit 1040 is configured to decrypt the first encrypted file by using the shared key, to obtain the to-be-accessed file.

[0121] In a first specific implementation manner,

the acquiring unit 1020 may include (not shown in FIG. 10):

a first address sending subunit, configured to send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal; and

a first information receiving subunit, configured to receive the privacy information and the shared key that correspond to the address information and are returned by the trusted server, where

the first address sending subunit is further configured to send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; and

the first information receiving subunit is further configured to receive the non-privacy information that corresponds to the address information and is returned by the cloud server.

[0122] In a second specific implementation manner,
the acquiring unit 1020 may include (not shown in FIG. 10):

a second address sending subunit, configured to send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal;

a second information receiving subunit, configured to receive a first shared key and a second shared key that correspond to the address information and are returned by the trusted server, where

the second address sending subunit is further configured to send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; and

a second information decrypting subunit, configured to decrypt the encrypted privacy information by using the second shared key, to obtain the privacy information, where

the decrypting unit 1040 may be specifically configured to decrypt the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

[0123] In a third specific implementation manner,
the acquiring unit 1020 may include (not shown in FIG. 10):

a third address sending subunit, configured to send the address information of the to-be-accessed file to the cloud server; and

[0124] In a fourth specific implementation manner,
the retrieving unit 1030 may include (not shown in FIG. 10):

an information matching subunit, configured to match privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition;

a result obtaining subunit, configured to obtain, according to a matching result, privacy information and non-privacy information that meet the retrieval condition; and

[0125] Referring to FIG. 11, FIG. 11 is a block diagram of a user terminal according to one embodiment of the present invention. The user terminal is a terminal having an information processing function.

[0126] The terminal includes: a bus 1110, and a network interface 1120, a processor 1130, and a memory 1140 that are connected by using the bus 1110, where

the network interface 1120 is configured to form a network connection with a trusted server and a cloud server;

the processor 1130 is configured to: generate privacy information and non-privacy information according to digest information of a file; encrypt the file by using a shared key delivered by the trusted server, to obtain an encrypted file; through the network interface 1120, upload the encrypted file and the non-privacy information to the cloud server and receive information, returned by the cloud server, about an address at which the encrypted file is saved; and transmit the address information of the encrypted file to the trusted server through the network interface 1120, so that the trusted server saves the address information of the encrypted file; and

the memory 1140 is configured to save the address information of the encrypted file.

[0127] In one specific implementation manner, the processor 1130 may further transmit the privacy information to the trusted server through the network interface 1120, so that the trusted server saves a correspondence between the privacy information and the address information.

[0128] In another specific implementation manner, the processor 1130 may be further configured to: encrypt the file by using a first shared key delivered by the trusted server, to obtain the encrypted file; and encrypt the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information; and upload the encrypted privacy information while uploading the encrypted file and the non-privacy information to the cloud server through the network interface 1120.

[0129] Referring to FIG. 12, FIG. 12 is a block diagram of a cloud server according to an embodiment of the present invention.

[0130] The cloud server includes: a bus 1210, and a network interface 1220, a processor 1230, and a memory 1240 that are connected by using the bus 1210, where

the network interface 1220 is configured to form a network connection with a user terminal;

the processor 1230 is configured to obtain, through the network interface 1220, an encrypted file and non-privacy information that are uploaded by the user terminal, where the encrypted file is an encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is non-privacy information generated by the user terminal according to digest information of the file;

the memory 1240 is configured to save a correspondence between the encrypted file and the non-privacy information; and

the processor 1230 is further configured to deliver, to the user terminal through the network interface 1220, information about an address at which the encrypted file is saved, so that the trusted server saves the address information after the user terminal transmits the address information of the encrypted file to the trusted server.

[0131] In one specific implementation manner,

the encrypted file obtained by the processor 1230 through the network interface and uploaded by the user terminal is specifically an encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server; and

the processor 1230 may be further configured to obtain, while obtaining, through the network interface, the encrypted file and the non-privacy information that are uploaded by the user terminal, encrypted privacy information uploaded by the user terminal, where the encrypted privacy information is encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, where the privacy information is privacy information generated by the user terminal according to the digest information of the file.

[0132] Referring to FIG. 13, FIG. 13 is a block diagram of a trusted server according to an embodiment of the present invention.

[0133] The trusted server includes: a bus 1310, and a network interface 1320, a processor 1330, and a memory 1340 that are connected by using the bus 1310, where

the network interface 1320 is configured to form a network connection with a user terminal;

the processor 1330 is configured: to deliver a shared key to the user terminal through the network interface 1320, so that the user terminal uploads, to a cloud server after obtaining an encrypted file by encrypting a file according to the shared key, the encrypted file and non-privacy information that is generated according to digest information of the file; and receive, through the network interface 1320, address information, sent by the user terminal, of the encrypted file, where the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved; and

the memory 1340 is configured to save the address information.

[0134] In one specific implementation manner,

the processor 1330 may be further configured to receive, through the network interface 1320, privacy information generated according to the digest information of the file and transmitted by the user terminal; and

the memory 1340 may be further configured to save a correspondence between the privacy information and the address information.

[0135] In another specific implementation manner,

the processor 1330 may be specifically configured to deliver a first shared key to the user terminal through the network interface 1320, so that the user terminal uploads, to the cloud server after obtaining the encrypted file by encrypting the file according to the first shared key, the encrypted file and the non-privacy information that is generated according to the digest information of the file; and

the processor 1330 may be further configured to deliver a second shared key to the user terminal through the network interface 1320, so that the user terminal encrypts, according to the second shared key, privacy information that is generated according to the digest information of the file to obtain encrypted privacy information and uploads the encrypted privacy information to the cloud server.

[0136] Referring to FIG. 14, FIG. 14 is a block diagram of a user terminal according to another embodiment of the present invention. The user terminal may be used as a first user terminal. When the user terminal shown in FIG. 11 is a second user terminal, the first user terminal may be used as a third-party user terminal authorized by the second user terminal to search information of the second user terminal.

[0137] The user terminal includes: a bus 1410, and a network interface 1420 and a processor 1430 that are connected by using the bus 1410, where

the network interface 1420 is configured to form a network connection with a second user terminal, a cloud server, and a trusted server; and

the processor 1430 is configured to: receive information, sent by the second user terminal, about an address used to save an encrypted file of the second user terminal, where the address information is information, delivered to the second user terminal by the cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, where the encrypted file is an encrypted file obtained after the second user terminal encrypts a file according to a shared key delivered by the trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file; acquire, from the cloud server and the trusted server through the network interface 1420, the non-privacy information, privacy information, and the shared key that correspond to the address information, where the privacy information is generated by the second user terminal according to the digest information of the file; obtain address information of a to-be-accessed file by searching the privacy information and the non-privacy information; acquire, from the cloud server through the network interface 1420, a first encrypted file corresponding to the address information of the to-be-accessed file; and decrypt the first encrypted file by using the shared key, to obtain the to-be-accessed file.

[0138] In a first specific implementation manner, the processor 1430 may be specifically configured to: through the network interface 1420, send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal, and receive the privacy information and the shared key that correspond to the address information and are returned by the trusted server; and through the network interface 1420, send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal, and receive the non-privacy information that corresponds to the address information and is returned by the cloud server.

[0139] In a second specific implementation manner, the processor 1430 may be specifically configured to: through the network interface 1420, send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal; receive a first shared key and a second shared key that correspond to the address information and are returned by the trusted server; send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; receive the non-privacy information and encrypted privacy information that correspond to the address information and are returned by the cloud server; and decrypt the encrypted privacy information by using the second shared key, to obtain the privacy information, and decrypt the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

[0140] In a third specific implementation manner, the processor 1430 may be specifically configured to: separately match privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition; obtain, according to a matching result, privacy information and non-privacy information that meet the retrieval condition; and determine address information corresponding to the privacy information and the non-privacy information that meet the retrieval condition as the address information of the to-be-accessed file.

[0141] In a fourth specific implementation manner, the processor 1430 may be specifically configured to, through the network interface 1420, send the address information of the to-be-accessed file to the cloud server and receive the first encrypted file that corresponds to the address information of the to-be-accessed file and is sent by the cloud server after the cloud server queries a saved correspondence between the address information and the encrypted file.

[0142] It may be seen from the foregoing embodiments that, during information processing, a user terminal generates privacy information and non-privacy information according to digest information of a file; encrypts the file by using a shared key delivered by a trusted server, to obtain an encrypted file; uploads the encrypted file and the non-privacy information to a cloud server; receives information, returned by the cloud server, about an address at which the encrypted file is saved; and transmits the address information of the encrypted file to the trusted server, so that the trusted server saves the address information of the encrypted file. By applying the embodiments of the present invention, a cloud server saves an encrypted file and non-privacy information, and a trusted server saves address information of the encrypted file. Therefore, no third-party user terminal can directly obtain privacy information from the cloud server, but only a trusted third-party user terminal can obtain the address information of the encrypted file from the trusted server and access the privacy information according to the address information, so that the trusted third-party user terminal can search the privacy information and the non-privacy information, which enables the trusted third-party user terminal to access the encrypted file while ensuring security of the user file. During information retrieval, a first user terminal receives information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal; acquires, from a cloud server and a trusted server, privacy information, non-privacy information, and a shared key that correspond to the address information; obtains address information of a to-be-accessed file by searching the privacy information and the non-privacy information; acquires, from the cloud server, a first encrypted file corresponding to the address information of the to-be-accessed file; and decrypts the first encrypted file by using the shared key, to obtain the to-be-accessed file. By applying the embodiments of the present invention, a trusted server is introduced in an information retrieval process, so that an encrypted file uploaded to a cloud server by a user terminal can be searched by a trusted third-party user terminal. The trusted third-party user terminal may obtain required information from the cloud server by means of retrieval. Therefore, while security of a user file is ensured, performance of the cloud server can be made full use of, and convenience of information sharing on the Internet and flexibility of file sharing between users using the cloud server are improved.

[0143] A person skilled in the art may clearly understand that, the technique in the embodiments of the present invention may be implemented through software and a necessary general hardware platform. Based on such an understanding, the technical solutions of the present invention essentially or the part contributing to the prior art may be implemented in a form of a software product. The software product may be stored in a storage medium, such as a ROM/RAM, a hard disk, or an optical disc, and includes several instructions for instructing a computer device (which may be a personal computer, a server, or a network device) to perform the methods described in the embodiments or some parts of the embodiments of the present invention.

[0144] The embodiments in this specification are all described in a progressive manner, for same or similar parts in the embodiments, reference may be made to these embodiments, and each embodiment focuses on a difference from other embodiments. Especially, a system embodiment is basically similar to a method embodiment, and therefore is described briefly; for related parts, reference may be made to partial descriptions in the method embodiment.

[0145] The foregoing descriptions are implementation manners of the present invention, but are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, and improvement made without departing from the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims

1. An information processing method, wherein the method comprises:

generating privacy information and non-privacy information according to digest information of a file;

encrypting the file by using a shared key delivered by a trusted server, to obtain an encrypted file;

uploading the encrypted file and the non-privacy information to a cloud server;

receiving information, returned by the cloud server, about an address at which the encrypted file is saved; and

transmitting the address information of the encrypted file to the trusted server, so that the trusted server saves the address information.

2. The method according to claim 1, wherein the method further comprises:

transmitting the privacy information to the trusted server, so that the trusted server saves a correspondence between the privacy information and the address information.

3. The method according to claim 1, wherein the encrypting the file by using a shared key delivered by a trusted server, to obtain an encrypted file is specifically: encrypting the file by using a first shared key delivered by the trusted server, to obtain the encrypted file; and
the method further comprises: encrypting the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information; and
uploading the encrypted privacy information to the cloud server.

4. An information processing method, wherein the method comprises:

obtaining an encrypted file and non-privacy information that are uploaded by a user terminal, wherein the encrypted file is the encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is the non-privacy information generated by the user terminal according to digest information of the file;

saving a correspondence between the encrypted file and the non-privacy information; and

5. The method according to claim 4, wherein the encrypted file is specifically the encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server; and
the method further comprises:

obtaining encrypted privacy information uploaded by the user terminal, wherein the encrypted privacy information is the encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, wherein the privacy information is the privacy information generated by the user terminal according to the digest information of the file.

6. An information processing method, wherein the method comprises:

receiving address information, sent by the user terminal, of the encrypted file, wherein the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved; and

saving the address information.

7. The method according to claim 6, wherein the method further comprises:

receiving privacy information generated according to the digest information of the file and transmitted by the user terminal; and

saving a correspondence between the privacy information and the address information.

8. The method according to claim 6, wherein the delivering a shared key to a user terminal, so that the user terminal encrypts a file according to the shared key to obtain an encrypted file is specifically: delivering a first shared key to the user terminal, so that the user terminal encrypts the file according to the first shared key to obtain the encrypted file; and
the method further comprises: delivering a second shared key to the user terminal, so that the user terminal encrypts, according to the second shared key, privacy information that is generated according to the digest information of the file to obtain encrypted privacy information and uploads the encrypted privacy information to the cloud server.

9. An information retrieval method, wherein the method comprises:

receiving, by a first user terminal, information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal, wherein the address information is information, delivered to the second user terminal by the cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, wherein the encrypted file is an encrypted file obtained after the second user terminal encrypts a file according to a shared key delivered by a trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file;

acquiring, from the cloud server and the trusted server by the first user terminal, the non-privacy information, privacy information, and the shared key that correspond to the address information, wherein the privacy information is generated by the second user terminal according to the digest information of the file;

obtaining, by the first user terminal, address information of a to-be-accessed file by searching the privacy information and the non-privacy information;

acquiring, from the cloud server by the first user terminal, a first encrypted file corresponding to the address information of the to-be-accessed file; and

decrypting, by the first user terminal, the first encrypted file by using the shared key, to obtain the to-be-accessed file.

10. The method according to claim 9, wherein the acquiring, from the cloud server and the trusted server by the first user terminal, the non-privacy information, privacy information, and the shared key that correspond to the address information comprises:

sending, to the trusted server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal;

receiving, by the first user terminal, the privacy information and the shared key that correspond to the address information and are returned by the trusted server;

sending, to the cloud server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal; and

receiving, by the first user terminal, the non-privacy information that corresponds to the address information and is returned by the cloud server.

11. The method according to claim 9, wherein the acquiring, from the cloud server and the trusted server by the first user terminal, the non-privacy information, privacy information, and the shared key that correspond to the address information comprises:

sending, to the trusted server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal;

receiving, by the first user terminal, a first shared key and a second shared key that correspond to the address information and are returned by the trusted server;

sending, to the cloud server by the first user terminal, the information about the address used to save the encrypted file of the second user terminal;

receiving, by the first user terminal, the non-privacy information and encrypted privacy information that correspond to the address information and are returned by the cloud server; and

decrypting, by the first user terminal, the encrypted privacy information by using the second shared key, to obtain the privacy information; and

the decrypting, by the first user terminal, the first encrypted file by using the shared key, to obtain the to-be-accessed file is specifically: decrypting, by the first user terminal, the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

12. The method according to any one of claims 9 to 11, wherein the obtaining, by the first user terminal, address information of a to-be-accessed file by searching the privacy information and the non-privacy information comprises:

matching, by the first user terminal, privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition;

obtaining, according to a matching result by the first user terminal, privacy information and non-privacy information that meet the retrieval condition; and

determining, by the first user terminal, address information corresponding to the privacy information and the non-privacy information that meet the retrieval condition as the address information of the to-be-accessed file.

13. The method according to any one of claims 9 to 12, wherein the acquiring, from the cloud server by the first user terminal, a first encrypted file corresponding to the address information of the to-be-accessed file comprises:

sending, by the first user terminal, the address information of the to-be-accessed file to the cloud server; and

14. An information processing apparatus, wherein the apparatus comprises:

a generating unit, configured to generate privacy information and non-privacy information according to digest information of a file;

an encrypting unit, configured to encrypt the file by using a shared key delivered by a trusted server, to obtain an encrypted file;

an uploading unit, configured to upload the encrypted file and the non-privacy information to a cloud server;

a receiving unit, configured to receive information, returned by the cloud server, about an address at which the encrypted file is saved; and

a transmitting unit, configured to transmit the address information of the encrypted file to the trusted server, so that the trusted server saves the address information.

15. The apparatus according to claim 14, wherein:

16. The apparatus according to claim 14, wherein:

the encrypting unit is specifically configured to encrypt the file by using a first shared key delivered by the trusted server, to obtain the encrypted file;

the encrypting unit is further configured to encrypt the privacy information by using a second shared key delivered by the trusted server, to obtain encrypted privacy information; and

the uploading unit is further configured to upload the encrypted privacy information to the cloud server.

17. An information processing apparatus, wherein the apparatus comprises:

an obtaining unit, configured to obtain an encrypted file and non-privacy information that are uploaded by a user terminal, wherein the encrypted file is the encrypted file obtained after the user terminal encrypts a file by using a shared key delivered by a trusted server, and the non-privacy information is the non-privacy information generated by the user terminal according to digest information of the file;

a saving unit, configured to save a correspondence between the encrypted file and the non-privacy information; and

18. The apparatus according to claim 17, wherein the encrypted file acquired by the obtaining unit is specifically the encrypted file obtained after the user terminal encrypts the file by using a first shared key delivered by the trusted server; and
the obtaining unit is further configured to obtain encrypted privacy information uploaded by the user terminal, wherein the encrypted privacy information is the encrypted privacy information obtained after the user terminal encrypts privacy information by using a second shared key delivered by the trusted server, wherein the privacy information is the privacy information generated by the user terminal according to the digest information of the file.

19. An information processing apparatus, wherein the apparatus comprises:

a receiving unit, configured to receive address information, sent by the user terminal, of the encrypted file, wherein the address information is information, returned by the cloud server to the user terminal, about an address at which the encrypted file is saved; and

a saving unit, configured to save the address information.

20. The apparatus according to claim 19, wherein:

the receiving unit is further configured to receive privacy information that is generated according to the digest information of the file and transmitted by the user terminal; and

the saving unit is further configured to save a correspondence between the privacy information and the address information.

21. The apparatus according to claim 19, wherein:

the delivering unit is specifically configured to deliver a first shared key to the user terminal, so that the user terminal uploads, to the cloud server after obtaining the encrypted file by encrypting the file according to the first shared key, the encrypted file and the non-privacy information that is generated according to the digest information of the file; and

22. An information retrieval apparatus, wherein the apparatus comprises:

a receiving unit, configured to receive information, sent by a second user terminal, about an address used to save an encrypted file of the second user terminal, wherein the address information is information, delivered to the second user terminal by the cloud server after the cloud server obtains the encrypted file and non-privacy information that are uploaded by the second user terminal, about an address at which the encrypted file is saved, wherein the encrypted file is an encrypted file obtained after the second user terminal encrypts a file according to a shared key delivered by a trusted server, and the non-privacy information is generated by the second user terminal according to digest information of the file;

an acquiring unit, configured to acquire, from the cloud server and the trusted server, the non-privacy information, privacy information, and the shared key that correspond to the address information, wherein the privacy information is generated by the second user terminal according to the digest information of the file;

a retrieving unit, configured to obtain address information of a to-be-accessed file by searching the privacy information and the non-privacy information, wherein

the acquiring unit is further configured to acquire, from the cloud server, a first encrypted file corresponding to the address information of the to-be-accessed file; and

a decrypting unit, configured to decrypt the first encrypted file by using the shared key, to obtain the to-be-accessed file.

23. The apparatus according to claim 22, wherein the acquiring unit comprises:

a first address sending subunit, configured to send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal; and

a first information receiving subunit, configured to receive the privacy information and the shared key that correspond to the address information and are returned by the trusted server, wherein

the first address sending subunit is further configured to send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; and

the first information receiving subunit is further configured to receive the non-privacy information that corresponds to the address information and is returned by the cloud server.

24. The apparatus according to claim 22, wherein the acquiring unit comprises:

a second address sending subunit, configured to send, to the trusted server, the information about the address used to save the encrypted file of the second user terminal;

a second information receiving subunit, configured to receive a first shared key and a second shared key that correspond to the address information and are returned by the trusted server, wherein

the second address sending subunit is further configured to send, to the cloud server, the information about the address used to save the encrypted file of the second user terminal; and

a second information decrypting subunit, configured to decrypt the encrypted privacy information by using the second shared key, to obtain the privacy information, wherein

the decrypting unit is specifically configured to decrypt the first encrypted file by using the first shared key, to obtain the to-be-accessed file.

25. The apparatus according to any one of claims 22 to 24, wherein the retrieving unit comprises:

an information matching subunit, configured to match privacy information and non-privacy information that correspond to each piece of address information with a retrieval condition;

a result obtaining subunit, configured to obtain, according to a matching result, privacy information and non-privacy information that meet the retrieval condition; and

26. The apparatus according to any one of claims 22 to 25, wherein the acquiring unit comprises:

a third address sending subunit, configured to send the address information of the to-be-accessed file to the cloud server; and

Drawing

Search report

Cited references

REFERENCES CITED IN THE DESCRIPTION

This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description

CN201310091474 [0001]